CVE-2023-36934
Published: 2023-07-05
Priority: P1 · Severity: critical · CVSS 3.1 base score: 9.1 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 94.84% (99.8th percentile)
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | moveit_transfer | < 12.1.11 | 12.1.11 |
| progress | moveit_transfer | >= 13.0.0 < 13.0.9 | 13.0.9 |
| progress | moveit_transfer | >= 13.1.0 < 13.1.7 | 13.1.7 |
| progress | moveit_transfer | >= 14.0.0 < 14.0.7 | 14.0.7 |
| progress | moveit_transfer | >= 14.1.0 < 14.1.8 | 14.1.8 |
| progress | moveit_transfer | >= 15.0.0 < 15.0.4 | 15.0.4 |
Detection & IOCs (extracted from sources)
- url: `/human.aspx`
- path: `/human.aspx`
- path: `/machine.aspx`
- path: `/api/v1/auth/token`
- other: `http.favicon.hash:989289239`
- other: `icon_hash=989289239`
- command: `INSERT INTO activesessions (SessionID) values ('<session>');UPDATE activesessions SET Username=(select Username from users order by permission desc limit 1) WHERE SessionID='<session>'`
- cookie: `siLockLongTermInstID=0`
- Exploit targets the /human.aspx endpoint with a SQL injection payload in the Username query parameter, injecting into the activesessions table to forge an authenticated session.
- Exploit chain uses four sequential HTTP requests: POST to /human.aspx (SQLi), POST to /human.aspx?ep= (password change), POST to /machine.aspx (session), POST to /api/v1/auth/token (token retrieval). Successful exploitation returns access_token, refresh_token, token_type, and expires_in in the response body.
- Attacker sets LastTouch to a far-future date (2099-06-10) in the activesessions table to keep the forged session alive.
- Token request to /api/v1/auth/token uses grant_type=session with arbitrary username/password, relying on the previously injected session cookie for authentication bypass.
- GreyNoise observed low-volume exploitation attempts against CVE-2023-36934 on June 12, 2025, during a period of heightened MOVEit Transfer scanning. Monitor for scanning IPs concentrated in Tencent Cloud ASN 132203.
- 303 IPs (44%) of MOVEit Transfer scanners originate from Tencent Cloud ASN 132203; other sources include Cloudflare (113 IPs), Amazon (94), and Google (34). Elevated scanning (200–300 unique IPs/day) began May 27, 2025.
- Content-Type for exploit requests is application/x-www-form-urlencoded; the initial signon transaction body is 'transaction=signon'.
- The SQL injection payload selects the highest-privileged user from the users table (ORDER BY permission DESC LIMIT 1) to impersonate, meaning the forged session will have the permissions of the most privileged account in the database.
- The vulnerability is unauthenticated: no prior credentials or session are required to trigger the SQL injection via the MOVEit Transfer web application endpoint.
- Affected versions span a wide range: before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). Ensure all branches are patched.
- EPSS score of 0.91212 (99.652nd percentile) indicates a very high probability of exploitation in the wild; treat as a high-priority patching target.
CVSS provenance
- NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- VulnCheck: 9.1 CRITICAL
GHSA
GHSA-xv78-4qjf-hjxf: In Progress MOVEit Transfer before 2020
ghsa_unreviewed · 2023-07-05 · CVE-2023-36934 [CRITICAL] · CWE-89
VulnCheck
Progress MOVEit Transfer Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2023 · CVSS 9.1 · CVE-2023-36934 [CRITICAL]
Affected: Progress MOVEit Transfer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations a
No detection rules found.
Nuclei
MOVEit Transfer - SQL Injection
nuclei · CVSS 9.1 · CVE-2023-36934 [CRITICAL]
Template:

```yaml
id: CVE-2023-36934
info:
  name: MOVEit Transfer - SQL Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (1
```
GreyNoise
Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity
blogs_greynoiseio · 2025-06-25
Trend Micro
2H 2023: More active RaaS groups and more victims
blogs_trendmicro · 2024-04-16 · CVSS 9.8
[CRITICAL] 2H 2023: More active RaaS groups and more victims
Ransomware
## 2H 2023: More active RaaS groups and more victims
Our latest report on the state of and trends in the ransomware landscape in the second half of 2023 shows that the groups LockBit, BlackCat and Clop were responsible for most of the attacks and for the highest number of victim organizations.
By: Shingo Matsugaya, Apr 16, 2024
Our detailed report is based on data from the leak sites of RaaS and extortion groups, on Trend's open-source intelligence (OSINT) research, and on Trend Research telemetry collected from July 1 to December 31, 2023. Globally, a rise in the number of active RaaS groups can be observed in parallel with growing victim counts. As early as 2022, LockBit and BlackCat had already, through
Unit 42
Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
blogs_unit42 · 2023-10-04 · CVSS 9.8
CVE-2023-34362 [CRITICAL]
## Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
Unit 42, Threat Research Center · Published: October 4, 2023
Tags: High Profile Threats, Threat Research, Vulnerabilities, CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, CVE-2023-36934, MOVEit
Update October 4: We have added additional information using data gathered from Advanced Threat Prevention.
Update July 7: We cover the most recently disclosed vulnerabilities in MOVEit Transfer, as well as the July 2023 service pack.
## Executive Summary
On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers of sensitive data.
Update: On June 9 and June 15, Progress Software alerted customers of additional SQL injection vulnerabilities (also rated critical by Progress and assigned CVE-2023-35036 and CVE-2023-35708, re
Check Point
10th July – Threat Intelligence Report
blogs_checkpoint · 2023-07-10 · CVE-2023-36934
## 10th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Japan’s Port of Nagoya, which handles 10% of Japan’s trade volume, has shut down its activity for 2 days after being hit by a ransomware attack. The port’s management attributed the attack to LockBit ransomware group.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit
NCSC
A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
ncsc · 2025-01-28
## A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
Research from the NCSC designed to eradicate vulnerability classes and make the top-level mitigations easier to implement.
On this page
- Scope
- Background
- Research methodology
- Assessing ‘ease of implementation'
- Analysis of top-level mitigations
- Worked example: applying methodology to a recent vulnerability
- Conclusions
- References
## Executive Summary
All systems contain vulnerabilities. In fact, the number of Common Vulnerabilities and Exposures (CVEs) in commodity technology continues to rise. While there are a number of factors that are driving the increasing numbers, the NCSC expect this trend to conti